by Ryan Flores, Stephen Hilt, and Akira Urano – Trend Micro Research
The world population is expected to reach 9.8 billion in 2050, according to a study published in 2017 by the United Nations Department of Economic and Social Affairs. The same study also shows that regions across the globe had a recent rise in life expectancy. To provide for this steadily growing and longer–living population, the amount of food that is being produced today needs to be roughly doubled by 2050, preferably without converting any more land into farmland. This puts a considerable burden on the food production industry to produce more food more efficiently but with less environmental impact. To meet expectations, farmers, growers, producers, and food processers are using high-tech tools and systems to optimize production conditions, reduce waste, and make efficient use of available resources.
However, the adoption of new technology also brings challenges. There has been a growing concern that the devices and software used in food and agriculture pose significant risks to both enterprises and customers. In 2015, the U.S. Department of Homeland Security already identified cybersecurity as a key issue in this sector, and outlined a plan for reducing sector-specific risks. These concerns continue to grow, and considering the potential fallout — from food safety issues that could affect the lives of consumers to crop and livestock sabotage that could ruin an enterprise — it is undeniable that cybersecurity needs to be a bigger priority for people and organizations involved in the food production industry.
The food production industry is already using the internet of things (IoT) to help make production more efficient. As a prime example, farms and other such sites are often remotely located and crops are grown far from where a farmer operates, just as fish pens can be in the middle of the sea, miles offshore. Remote monitoring devices with wireless mobile connectivity removes the physical need for visiting and supervising sites.
Food production involves not only the growing and production of food items, but also storage, processing, waste management, and other tasks. The IoT is also used in most of these activities: Connected devices and systems can help manage large tracts of land, track and feed large herds of animals, maintain specific storage environments, and more. As base technologies used in the IoT (e.g., sensors, boards, antennas, and batteries) become cheaper, and cellular data connectivity becomes ubiquitous in rural and agricultural areas, we foresee wider adoption of the IoT in this industry in the near future.
The IoT can be used in food production in a variety of ways:
Agriculture started in specific environments where farming was possible. But with the help of technology, people were able to expand optimal growing environments into regions where it was not previously feasible. The same is true for different forms of livestock. But as an unfortunate consequence, attackers who wish to sabotage the food production process can simply alter the environmental conditions to destroy crops or even kill livestock. In February 2015, for instance, US$1.7 million worth of chickens were killed when a disgruntled contract grower tampered with the temperature settings of the chicken houses in a farm in South Carolina, U.S.A. And in July 2018, 1,200 pigs died in an automated pig barn in the Netherlands when a temperature alert was ignored.
The use of the IoT in food production is undeniably beneficial, but there are critical cybersecurity issues that cannot be overlooked. Since IoT-related threats are relatively new to this industry, many people and organizations are not prepared for or even aware of the industry-specific risks:
IoT systems in food production are used to control and maintain the parameters of a growing environment within very narrow thresholds. A small deviation from the threshold — as can be caused by a cyberattack — can have a catastrophic impact on the system itself and wide-ranging effects on the livestock or agricultural areas maintained by the system.
In our research, we used Shodan data to survey vulnerable systems online. We found that there were a number of exposed systems within the food production industry (see Tables 1 and 2). Such systems are connected to the internet through virtual network computing (VNC), using the default port and without password authentication. In effect, anyone on the internet can connect to these systems and manipulate them remotely.
|Category||Number of unique IP addresses|
|Aquaculture (water management)||107|
|GPS base station for tractor||2|
|Ventilation control for poultry||2|
|Aquaculture (oxygen generator)||1|
Table 1. Exposed systems
|Country||Number of unique IP addresses|
Table 2. Breakdown of exposed systems by country
Figure 2. ISOBUS tractor
Figure 3. Silo management system
Figure 4. Irrigation system
Figure 5. Aquaculture system
Figure 6. Food processing machine (for cooking sausages)
All of these exposed systems allow anyone to connect and read the data without authentication. However, there are some systems that require a username and password if any of the parameters or set points are modified or if any commands are issued. Having this type of additional authentication for any modification at least gives a small amount of security to prevent tampering and unauthorized modification.
Apart from VNC, we also found some exposed web user interfaces that are connected to food and agriculture systems (see Figures 7 and 8). In some cases, as in the VNC examples, the control panels are accessible without password authentication. But even if a username and password are required to gain access to the system, it is possible to compromise the system using existing exploit codes from publicly available sources.
Figure 7. Web-accessible control panel for an aquaculture system
(in addition to VNC remote access to the same system)
Figure 8. Wireless router connected to farming devices
Some vendors provide automated recording of activities on food production systems in order to comply with regulations and guidelines, and they can generate documents to submit to food regulation authorities or customs agencies if needed. The information comes from daily input by producers or by automated feed from devices and sensors into databases or cloud services. Any falsification of data in these systems, erroneous data from sensors, or data compromise due to a cyber incident affects the integrity of the documents and makes it unsuitable for proper audit and tracing. Tracing in particular is important in case of food safety issues where authorities need to identify a specific cause. Any modification of information makes the investigation more difficult and corrupts food safety processes.
Given the sensitive nature of this information, it is a risk for any of these systems to be unsecured. However, we also found exposed HACCP systems online. For example, the specification sheet for a piece of software used to store HACCP data (see Figure 9) indicates not only internet connectivity, but also the use of a remote access tool. This means that users of such systems are likely to connect them to the internet (primarily for receiving online support from the vendors), which opens up another avenue for attackers to access the systems remotely.
Figure 9. Sample specification sheet showing features related to HACCP and internet connectivity
As previously mentioned, precision agriculture uses advanced positioning technologies, commonly RTK on top of global navigation satellite system (GNSS) in order to get the millimeter-level accuracy achieved by having a fixed base station for triangulation. This requires receivers to be placed out in the field, and since some data-dependent services might be needed, these devices normally have internet connectivity through cellular service. Most of the time, the devices can be remotely managed through an embedded web server. Using a web interface, the farmer or operator can configure the base station or receiver, download logs, and perform routine maintenance.
This setup also means that positioning receivers are accessible via the internet. In fact, our quick Shodan search for receivers from a popular navigation system vendor (performed on Sept. 12, 2018) identified 92 such receivers.
Figure 10. Exposed base stations using receivers from a popular navigation system vendor
Further investigation revealed that 10 percent of the identified receivers do not have any authentication, meaning anyone who knows the receivers’ IP addresses can read and modify their data and settings. Also, independent research has verified that majority of these devices have default credentials.
As the various phases of food production become increasingly digitized and interconnected, the need arises for a central management platform for viewing, managing, and controlling data. Major vendors offer platforms for managing the various aspects of farm management and operation. These platforms allow the farmer-operator to perform various tasks, such as drawing field maps and defining field borders; creating, deploying, and syncing farm jobs; performing real-time inventory of equipment use and status; managing crop seeding, growth, and harvest inventory; and viewing crop and yield history.
All of this data is valuable to individual farmer-operators. It is therefore vital for them to keep their farm management accounts secure. While we have not seen any phishing attacks aimed at these platforms (yet), the potential impact of a compromised administrator account is devastating. Not only would the attacker have access to critical data, but he would also be able to tamper with equipment or even sabotage a whole planting season.
Unintended consequences on downstream systems
Any vertical in the food production industry consists of many players. In farming, there must be water, electricity, waste water treatment, seed, fertilizer, and equipment vendors. If any of these roles is compromised, then the whole supply chain and ecosystem are at risk.
Unpatched common operating systems and applications
Many displays and controls on farming and food production equipment are just small computers or tablets running off-the-shelf operating systems (OSs) such as the Microsoft® Windows® and Android™ platforms. Any security vulnerability discovered on the base OS will consequently affect devices running the same OS.
We have identified the security risks farmers and operators should be aware of, and highlighted the possible impact of a cyberattack against IoT systems used in the food production industry. At the very least, a successful attack could result in monetary losses, and at worst, it could compromise the food safety of an entire population.
To address the pressing need for tougher cybersecurity in food production, we lay out these recommendations for producers and vendors in this industry:
For farmers, growers, producers, and food processers
The food production industry is becoming more and more dependent on the IoT as population growth, not to mention the recent rise in life expectancy, pushes for higher food demand. New technology is being integrated into many aspects of production, helping maximize efficiency and safety. In particular, the IoT is helping in the gathering and analysis of different forms of data, providing proprietary information and valuable insight to farmers, growers, producers, and food processers.
As the reliance on the IoT grows, people and organizations in the industry have to recognize that securing the technology afforded by the IoT should be of high priority. Ideally, considering the impact a cyberattack or an act of sabotage could have, securing IoT devices and systems in the food production industry should get the same level of attention as the protection of the physical spaces and assets in a tract of farmland.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.